The Financial Services Agency (FSA) criticised the exchanges for lacking the proper internal control systems, and ordered them to make improvements in areas from risk management to preventing the criminal use of digital money. The FSA rap on Thursday briefly drove down bitcoin prices.
The exchanges included Coincheck, served with its second such notice since it was targeted in the late-January heist, and GMO Coin, run by GMO Internet Inc. Bit Station and FSHO were ordered to halt operations for a month.
The punishments represent the FSA's broadest response yet to concerns over security at Japanese cryptocurrency exchanges, which were first triggered by the 2014 collapse of the Mt. Gox exchange and resurfaced with the Coincheck heist.
The regulator said Coincheck lacked proper systems for dealing with risks such as money laundering and terrorism financing. It gave the exchange until March 22 to submit a report on how it would improve.
At a briefing after the FSA's sanctions, Coincheck CEO Koichiro Wada told reporters that the exchange's systems "weren't in keeping with the expansion of our business".
Wada said he was looking at options, including resignation, to take responsibility for the hack.
Coincheck will from next week repay about 46 billion yen ($434 million) to investors who had lost digital money, the exchange said, adding it would lift curbs on the trading of some cryptocurrencies imposed after the theft.
PROBLEM: UNREGISTERED EXCHANGES
Bitcoin fell as much as 5.7 percent following the FSA's criticism, before recovering to trade up about 2 percent at $10,124 by 0930 GMT.
The virtual currency hit a peak of $19,458 in December, but has since almost halved given a series of crackdowns by regulators across the globe on the digital coin trade.
Japan last year became the world's first country to regulate cryptocurrency exchanges. Some 16 exchanges are currently registered, while another 16, including Coincheck, were allowed to continue operating while their applications are checked.
Five of the seven exchanges punished by the FSA are unregistered, including the two forced to suspend business.
A senior employee at Bit Station used customers' bitcoin for their own purposes, the FSA said, adding that the exchange has now offered to drop its registration application.
Bit Station and FSHO did not immediately respond to emailed requests for comment.
The head of the ruling Liberal Democratic Party's cybersecurity taskforce said it was not ideal that exchanges that had not registered with the government should be allowed to continue operations.
"It's problematic that these 16 unregistered exchanges have been able to continue trading," Sanae Takaichi told Reuters. "In the first place, should they have been allowed to operate while their applications for registrations are still incomplete?"
HOT AND COLD WALLETS
The theft from Coincheck, one of the biggest digital money heists ever, underscores the risks policymakers across the globe face in regulating cryptocurrency trading.
Coincheck said a hacker used malware to break into its network before stealing an encrypted key and withdrawing the digital coins. The stolen coins were then stored in "hot wallets" or digital folders accessible from the internet.
Coincheck said it had moved coins stored in some hot wallets to more secure "cold wallets" - computers or drives not connected to the internet.
At GMO Coin, one of the two registered exchanges sanctioned, the FSA said system glitches occurred frequently but the company had failed to sufficiently analyse the root cause. The regulator ordered it to submit a report by March 22.
Shares in GMO Internet fell as much as 5.6 percent. The benchmark Nikkei average closed up 0.5 percent.
"We will look again at our system risk management, and take thorough steps to improve to regain users' trust," a GMO spokeswoman said.
(Reporting by Taiga Uranaka and Thomas Wilson; Editing by Chris Gallagher, Sam Holmes and Himani Sarkar)